The Quiet Part: What 10-K Risk Factors Say About AI in 2026

July 8, 2026
 / 
Jack Shoemaker

Powered by Context Analytics Corporate Filings Intelligence

Last week I asked a question that doesn't get asked often enough: what does corporate America actually believe can go wrong with AI? Not the conference-keynote version, and not the think-piece version. The version companies put in writing under securities law, with their lawyers reading over their shoulder.

The risk factors section of the 10-K is where a companies say the quiet part out loud. The risk factors tell you what the general counsel loses sleep over. And in 2026, that section has quietly become a genuinely useful AI dataset that few read or report on.

Few read it because until recently it required advanced financial knowledge to understand, and because of the sheer volume. There are 6,258 U.S. 10-Ks in our corporate filings database filed between January and early July of 2026, the vast majority covering fiscal year 2025, at a few hundred pages each. That is more text than an analyst will get through in a career. With the CA’s Corporate Filings Intelligence , I queried all of them in a few minutes.

Of 6,258 U.S. 10-Ks filed in 2026, 3,545 mention artificial intelligence. That's 57% of corporate America formally telling the SEC that AI matters to its business, and in most cases telling investors exactly which parts worry them.

The headline number: 57% and climbing the org chart

The raw penetration figures first, pulled straight from the filings index.

AI IN 2026 CORPORATE FILINGS

Filing typeFilings indexedMention AIShare
10-K (annual reports)6,2583,54557%
S-1 (IPO registrations)1,39860944%
Earnings call transcripts23,27511,04447%

Nearly half of all earnings calls this year touched on AI, and 1,709 of those calls paired it with ROI language. The question executives are fielding has shifted from “what's your AI strategy” to “when does it pay for itself.” A healthier question. Also a more difficult one.

The 10-K number is the one I keep coming back to, though. An earnings call mention can be a throwaway line. A 10-K mention went through legal review. When 57% of annual reports discuss AI, and 1,098 of them specifically flag risks arising from the company's own use of it, the adoption is real enough to have a paper trail.

What are companies worried about?

I ran the specific risk vocabulary through the full text of every filing to see which concerns show up, and how often.

THE 2026 AI RISK TAXONOMY (10-K FILINGS)

Risk themeFilingsWhat the language looks like
Falling behind (“keep pace” + AI)1,121Competitors adopting AI faster than we can
AI-enabled cyber threats (“threat actors” + AI)1,082Attackers using AI against our defenses
Model bias (“biased” + AI/ML)932Flawed or biased outputs harming customers or reputation
Regulation (EU AI Act cited by name)506Compliance costs across fragmented jurisdictions
Third-party AI dependency381Reliance on vendors' models we don't control
AI-generated content288Provenance, IP, and authenticity questions
Deepfakes202Impersonation and fraud risk
Hallucinations177Models confidently producing wrong answers

Source: fillings_sec_10k index, 2026.

Look at what tops the list. The most common AI risk in corporate America is not that AI fails. It's that the company fails to adopt it fast enough. Over a thousand companies told the SEC, in effect: our biggest AI risk is our competitors' AI. If you build AI for a living, finding that sentiment in the most cautious document a company produces is strange and, honestly, encouraging.

Second place is more sobering. Almost as many companies flagged AI in the hands of attackers as flagged competitive displacement. AI now sits on both sides of the cybersecurity ledger, and the filings show companies pricing that in.

The taxonomy gets more interesting when you attach names to it. Two filings from this year, from opposite ends of the AI story:

JPMorgan Chase wrote nearly the whole taxonomy into a single risk factor. Inaccurate or biased output from rapid deployment and insufficient testing. AI-enabled cyber threats, including malicious actors using AI to reverse-engineer security patches and run more convincing social engineering. A rapidly evolving and internationally inconsistent regulatory picture that could raise costs and restrict how the bank uses the technology. Competitive disadvantage if rivals deploy faster. Then it adds two worries most filings haven't caught up to yet: agentic systems taking actions without safeguards that keep them away from sensitive data, and AI agents autonomously managing customers' financial decisions in a way that could disintermediate the bank's own customer relationships. Sit with that last one. The largest bank in the country is on record worrying that its customers' AI might one day stand between it and its customers.

PPL Corporation, a utility serving Pennsylvania and Kentucky, has the most inverted AI risk in the set. The filing says load growth from data centers and large customers, driven by an increasingly digital economy and by AI specifically, is the premise behind its generation and transmission investment plans. The disclosed risk is not the technology. It's the forecast: if that AI-driven demand doesn't show up as projected, or shows up and doesn't stay, the capital is already committed. So while a thousand-plus companies file the risk of under-investing in AI, the utility files the risk of over-building for it, with permitting, land, labor shortages, and construction overruns stacked on top. For a power company, AI is not a software question. It's a bet on someone else's demand curve.

Two companies, two sectors, and between them both failure directions: AI working so well it rearranges who owns the customer, and AI demand falling short after the concrete is poured.

My favorite detail in the whole dataset: “hallucinations” now appears in 177 annual reports. Not from AI labs. The list includes a specialty pharmaceutical company and a community bank in Connecticut. When a term of art from machine learning research shows up in a community bank's risk factors, the technology has fully left the tech sector.

The sector surprise: utilities are almost as AI-obsessed as tech

I expected the sector breakdown to be a boring staircase with Information Technology at the top. It mostly is. Except for one line.

SHARE OF 10-Ks MENTIONING AI, BY GICS SECTOR 

Sector10-Ks filedMention AIShare
Information Technology48036476%
Utilities906774%
Industrials46032370%
Consumer Discretionary39527169%
Communication Services17411968%
Health Care85255265%
Financials1,34972554%

Source: 2026 10-K index, GICS sector classification.

Utilities. Within two points of the technology sector itself. Companies that generate and deliver electricity are discussing AI at nearly the same rate as companies that build it, because AI's appetite for power has turned grid capacity into a strategic asset. Data center demand shows up in utility filings as opportunity, as capex, and sometimes as risk in the same paragraph. PPL's filing, above, is that pattern in miniature.

This is a second-order effect that people have been theorizing about for two years. The filings settle it. The AI buildout has become an infrastructure story, and the infrastructure companies are saying so in writing.

The cost question nobody puts in the press release

Underneath the legal language, every AI risk in the taxonomy above is a cost.

Compliance with the EU AI Act and the growing patchwork of state rules means legal and audit spend. Defending against AI-enabled threat actors means security spend. Validating models for bias and hallucination before they touch customers means the whole model-governance apparatus that banks have run for years under SR 11-7, which everyone else is now discovering, along with its price tag. And “keeping pace with competitors” is a polite phrase for capex, talent, and cloud bills.

The filings don't read like retreat, and they shouldn't. You don't warn investors about the compliance costs of a technology you aren't using. Disclosure follows deployment, and deployment is where hypothetical risks turn into budget line items.

That's a framing our industry should be comfortable with. Everything on a balance sheet carries risk. What matters is whether a company can see its AI risks clearly enough to manage them, and the 3,545 companies naming theirs in public filings are, at minimum, looking.

The bottom line

Five years ago, AI risk in a 10-K was boilerplate, a sentence borrowed from a peer's filing. In 2026 it's specific. Companies cite the exact regulation and describe the exact failure mode, and a growing number are putting figures on the cost. Specificity is the part I trust. A vague risk is one you haven't met yet. A company that names the regulation and the failure mode has usually already spent money on both.

For anyone allocating capital, that's the opportunity hiding in the least glamorous section of the least glamorous document in finance. The gap between companies that disclose AI risk thoughtfully and companies that paste boilerplate is a signal, and it sits in a corpus far too large to read by hand.

So what does corporate America actually believe can go wrong with AI? Falling behind, mostly. Then everything else: attackers with better tools, models that are confidently wrong, regulators who haven't agreed with each other yet, and demand forecasts with billions of dollars leaning on them. Notice what's missing. Not one of those 3,545 companies is arguing against the technology. They're working out how to carry it, and they're doing that work on the record.

That record used to take a research team weeks to read. Now it's a query. The answers have been sitting in EDGAR the whole time. Go ask them something.

This analysis is a glimpse into what's possible when institutional-grade filings intelligence meets real-time social sentiment data.

Learn more about how Context Analytics powers next-generation investment research at www.contextanalytics-ai.com.

This post is for informational purposes only and does not constitute investment advice. All filing counts from 2026 U.S. filing indices. Sentiment data from Context Analytics S-Factor feed, July 6, 2026.

©2022 - Context Analytics | All right reserved | Terms and conditions
cross